How to augment visibility with protection in OT security

Nov. 21, 2022
Leveraging both is critical in protecting assets, ensuring availability and averting revenue disruptions

When a company cannot see all of its assets, whether in the plant or in the field, it is operating in the dark. To protect your business, you need a clear view of operational technology (OT) and Industrial Internet of Things (IIoT) components, firmware, network protocols and vulnerabilities.

But mere visibility of assets is insufficient to protect critical operations, ensure availability and avert revenue disruptions given today’s threat landscape. And while monitoring network and asset behavior can give network engineers the data that they need to prioritize risks and react accordingly, some threats move too quickly to rely on human intervention. To stop those fastest-moving threats, your company needs automated protections to sense and stop threats while simultaneously reporting them.

The greatest benefit comes from maximizing both visibility and protection, and leading organizations across manufacturing, power and energy and other industries are taking just such an approach to contemporary OT security.

Benefits of Visibility

Visibility is the first crucial layer of OT security, providing your business with a valuable tool in a variety of areas such as regulatory compliance and maintenance efficiency. Automated inventory, for example, provides instant insight into the OT applications, IIoT elements and industrial control systems (ICS) that are running across and beyond the shop floor. Your company never has to miss another security patch simply because it doesn’t know which apps are running where.

Coupled with threat intelligence, automated inventory allows security policies to be generated automatically. These trust lists (allowlists of the applications and traffic each asset legitimately needs) pinpoint the controls necessary to protect an asset without burdening the system with checks for threats that do not apply to it.

Gaining visibility also allows you to expand your view from apps on a single asset to apps across the entire network. You can understand how your network actually behaves and learn the traffic patterns of normal operations, providing a baseline for detecting anomalies and, as necessary, reconfiguring or upgrading. For example, key assets can be segmented into safety work cells so that they operate in isolation, keeping a fault or compromise in one cell from spreading to the rest of the plant.

Collecting real-time OT data, furthermore, empowers machine learning to continually improve the accuracy of threat predictions and to inform the maintenance necessary for maximizing asset life. For example, the capability to perform this sort of data monitoring could mean the oil in a machine need changing only when it becomes dirty, rather than on some arbitrary schedule that wastes resources.

A system can be calibrated to send focused, actionable alerts to accelerate incident response time. Time-saving dashboards can focus attention on key concerns by summarizing risks and threats. And fast forensic analysis can be enabled by correlation and consolidation of alerts, providing operational and security context and supplying automatic packet captures for investigation. You get a snapshot before and after the attack, along with ad hoc query tools, to support investigations.

Such capabilities for visibility could factor heavily into your company’s regulatory compliance. Visibility is a key component for the first function, “Identify,” of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, for example.

Benefits of Protection

Still, providing visibility over assets, alarms of potentially malicious activity and analysis of events is not enough in OT. This space consists of highly specialized and complex systems, mixing leading-edge and legacy devices, that directly feed your company's revenues, so keeping operations running is the overriding priority. That is the key differentiator your company must understand about OT security.

Traditional IT security practices are built around the "CIA" ordering: confidentiality of data and systems first, integrity second and availability third. Your company cannot tolerate downtime in OT, which is why state-of-the-art approaches to securing ICS in the IIoT age flip the prioritization to "AIC": availability first, integrity second and confidentiality third. Protection is simply a must-have in OT security.

Auto-protections take advantage of all the benefits of monitoring operations and then go further. Autogenerated security policies adapt to the current situation so that automated protections can respond a split second after a threat is detected. Additionally, firewalls can be configured to block malicious traffic before it enters a safety segment. Because most OT traffic is legitimate on the surface and only the command inside the packet reveals intent, deep packet inspection of the most commonly used OT protocols is required.

Of course, blocking traffic may slow down production during a false alarm, but that calculated risk must be weighed against the cost of cleaning up after a full-blown attack. OT cybersecurity systems work best when they are calibrated to the optimal defensive posture through a combination of automatic tuning, human judgment and network/endpoint security expertise. For example, assume that during normal operations your company's firewalls are configured to drop and block malicious network traffic.

Auto-generated trust lists can inform the firewall when current traffic does not match the established pattern: a known malware signature, a payload anomaly that appears to be a malware variant, or a suspicious unknown pattern. The firewall drops the packet so it does not contaminate operations and records the packet data in the log for further investigation. Then, if the plant receives a rush order, you could decide to accept the risk of infection to gain every second of production speed. Engineers would switch off enforcement, so the firewall only monitors traffic and reports suspicious patterns to the log. That switch should be an explicit, time-bound decision: the alerts generated in monitor-only mode still need review, and enforcement should be restored once the order is filled.
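The enforce-versus-monitor behaviour described in the last three paragraphs is easiest to see in code. The following is an added example written for this page, not TXOne code: a minimal Modbus/TCP deep packet inspector that parses the MBAP header, checks the function code against a per-source trust list, and either drops or merely alerts depending on mode. The trust list, IP addresses and sample frames are constructed for illustration (the article's trust lists would be generated from the traffic baseline rather than written by hand).

```python
"""Minimal Modbus/TCP trust-list filter with enforce and monitor-only modes (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modbus/TCP MBAP header (big-endian): transaction id, protocol id, length, unit id.
MBAP = struct.Struct(">HHHB")

READ_CODES: Set[int] = {0x01, 0x02, 0x03, 0x04}
WRITE_CODES: Set[int] = {0x05, 0x06, 0x0F, 0x10}
FC_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}

# Hypothetical trust list keyed by source IP (constructed for this example).
TRUST_LIST: Dict[str, Set[int]] = {
    "10.0.1.10": READ_CODES,                # HMI: read-only access to the PLC
    "10.0.1.50": READ_CODES | WRITE_CODES,  # engineering workstation: may also write
}


@dataclass
class Verdict:
    action: str                      # "allow", "drop" (enforce) or "alert" (monitor-only)
    reason: str
    function_code: Optional[int] = None


def parse_modbus_tcp(frame: bytes) -> Tuple[int, int]:
    """Return (unit id, function code) or raise ValueError for a malformed frame."""
    if len(frame) < MBAP.size + 1:   # header plus at least the function code byte
        raise ValueError("frame truncated")
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return unit, frame[MBAP.size]


def inspect(src_ip: str, frame: bytes, enforce: bool) -> Verdict:
    """Deep-inspect one frame; in monitor-only mode a violation is logged but not dropped."""
    blocked = "drop" if enforce else "alert"
    try:
        _unit, fc = parse_modbus_tcp(frame)
    except ValueError as exc:
        return Verdict(blocked, f"malformed frame: {exc}")
    name = FC_NAMES.get(fc, "unknown")
    if fc in TRUST_LIST.get(src_ip, set()):
        return Verdict("allow", f"{name} permitted", fc)
    return Verdict(blocked, f"{name} ({fc:#04x}) not on trust list for {src_ip}", fc)


def run_policy(frames: List[Tuple[str, bytes]], enforce: bool) -> Tuple[List[bytes], List[str]]:
    """Apply the policy to a batch of frames; return the forwarded frames and the log lines."""
    forwarded: List[bytes] = []
    log: List[str] = []
    for src_ip, frame in frames:
        v = inspect(src_ip, frame, enforce)
        if v.action != "drop":       # monitor-only mode forwards everything
            forwarded.append(frame)
        if v.action != "allow":      # suspicious traffic is logged with its packet bytes
            log.append(f"{v.action.upper()} src={src_ip} {v.reason} pkt={frame.hex()}")
    return forwarded, log


# Constructed sample frames, not captured traffic.
HMI_READ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 0x0000, 10)              # read 10 holding registers
HMI_WRITE = struct.pack(">HHHBBHHBH", 2, 0, 9, 1, 0x10, 0x0010, 1, 2, 0xBEEF)  # write one register
BAD_PROTO = struct.pack(">HHHBB", 3, 1, 2, 1, 0x03)                           # protocol id must be 0
TRUNCATED = b"\x00\x04\x00\x00"                                                # header cut short

SAMPLE_FRAMES = [
    ("10.0.1.10", HMI_READ),     # HMI reading: allowed
    ("10.0.1.10", HMI_WRITE),    # HMI writing: not on its trust list
    ("10.0.1.50", HMI_WRITE),    # engineering workstation writing: allowed
    ("192.168.9.9", BAD_PROTO),  # unknown host, malformed frame
    ("10.0.1.10", TRUNCATED),
]

if __name__ == "__main__":
    for mode in (True, False):
        fwd, log = run_policy(SAMPLE_FRAMES, enforce=mode)
        print(f"enforce={mode}: forwarded {len(fwd)}/{len(SAMPLE_FRAMES)} frames")
        for line in log:
            print("  ", line)
```

In enforce mode only the two frames that match the trust list reach the PLC and the three violations are dropped and logged; flipping `enforce` to `False` is the "rush order" case, where all five frames are forwarded but the same three log entries are still produced, so nothing is lost for later review. A production filter would also track state per connection and inspect the data fields (register ranges, coil values), not just the function code.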

Again, regulatory compliance could be a key driver in your company’s commitment to protection. The second function of the NIST Cybersecurity Framework is “Protect.”

Maximizing the Benefits of Both 

The OT world is being targeted more and more frequently for exploitation. Some ICS and IIoT systems include legacy devices that were designed before cybersecurity became a serious concern, leaving them highly vulnerable to modern digital threats.

Understanding the unique challenge of OT security has led to purpose-built approaches to the task. Both visibility and protection play crucial, interrelated roles, arming your company to protect assets, ensure availability and avert revenue disruptions as effectively as possible.

About the author: As Technical Director, Americas at TXOne Networks, Austen Byers leads the company’s efforts in providing design, architecture, and engineering technical direction and leadership. Austen is a sought-after thought leader in operational technology (OT) cybersecurity with more than 10 years in the cybersecurity space. He has spoken at numerous industry events as a subject-matter expert to provide insight into the state of industrial cybersecurity, the intricacies of OT breaches, and providing strategies to help organizations keep their assets and environments safe.